Applies to: Everyone

Because Office 365 services are cloud-based special care must be taken to ensure safe use of Office 365. This includes things like complying with the Family Educational Rights and Privacy Act (FERPA)
and being aware of what data you’re storing in Office 365. This is especially critical when using Office 365 resources from a personal or public device. For instance, FERPA rules prohibit disclosure of
student information to anyone but the student or school administrators acting in an official capacity. If protected information is left behind on a device not owned by the College and is accessed by an
unauthorized party you may be liable.

We have a formal service agreement with Microsoft that protects our information and transfers certain liability should there be an incident. We do not have this kind of agreement with companies like Google or Dropbox.
Using products outside Office 365 to store protected or confidential information is prohibited. We advise you to never store or transmit sensitive information, especially anything within the scope of FERPA,
through other services. You will be held responsible should a breach occur.

Our #1 Security Tip

The IT Department will NEVER ask for your login information via email or online form.

We may ask for your password in person is if it's required to provide you service, like for the YoteTechs or if your employee computer has a major problem and it's only affecting your account. We shred student
passwords after using them and we encourage employees to change theirs after seeing us. Providing your password is completely optional and is only needed to speed service.

If you call us for help, especially if you're a new student or unable to come see us on campus, we may ask for your password to verify that your information matches ours or to try to replicate your problem.
We do our very best to avoid this but sometimes it's required. We will never call you, unsolicited, and ask for your information. Never give any personal information to someone who contacts you unexpectedly and without prompting.

So, just to clarify, the IT Department will NEVER ask for your login information via email or online form.

FERPA 101

The federal regulation known as FERPA applies to all student information kept by the College and its users. Any employee who views or processes protected information is subject to FERPA’s rules,
as is any student whose employment or duties exposes them to protected information. FERPA applies to “eligible students,” which means any student who is 18 or older or has enrolled at a postsecondary
institution. As such, any C of I student is protected by FERPA and, generally, no student information may be shared without the student’s consent.

In brief this means that you may not disclose, discuss, or otherwise distribute student information like course enrollments, grades, GPAs, disciplinary records, or personal information.
The Registrar’s Office provides the College with interpretation and enforcement of FERPA’s rules. Please contact the office to clarify exactly what information is and is not protected by FERPA.
Some students may opt to restrict all of their information, and in that case certain FERPA rules become more restrictive. Use extreme caution when handling this “Directory Hold” information.

Staying Safe in Office 365

When using Office 365 services you need to be aware that synced data could be unintentionally downloaded to an uncontrolled, non-College device. If the device is shared, through any means, there’s a risk
that information could be accessed by an unauthorized third party. This results in a disclosure and breach of FERPA’s protections, putting you and the College at risk of private or Federal legal action.
Office 365 complies with FERPA for data security when it’s stored in the cloud, but once downloaded the burden of security falls to the end user.

So how might this affect you? If you use Office, OneDrive, email, or any other Office 365 application to access protected information you must make sure that the information remains protected when you are
finished. Signing in to Office on your personal device can permit any user to access your OneDrive-based documents. Downloading a document will leave it behind on the device where another user can open and
read it. Setting up email on your phone and not protecting it with a secure lock screen (PIN, pattern, or fingerprint) can let a thief access all of your messages. It’s very important that you keep these risks
in mind when using Office 365. To be safest you shouldn’t access protected information from shared personal devices.

To help protect your information, both in Office 365 and on the wider web, follow these DOs and DON’Ts.

DO

Sign out of Office 365 when you’re finished with it, and sign out of any other site that contains sensitive information

Check and clean your downloads, cookies, and browsing history if you’ve been working with protected information on a shared computer

Access secure sites only over HTTPS; look for the lock icon, the https:// URL, and a verified site owner, all listed in the address bar of your browser

Keep your computer secure with software updates for your operating system and applications

DON'T

Allow sites that host secure information, like Office 365 or financial websites, to save your password or remember you. It’s usually okay to remember your username but we do not recommend storing your password, especially when things use your YoteNet ID for sign in.

Visit a website if your browser shows you a security or certificate warning.

Install software from a website you don’t know or expect to install software. Most of those sites are fake and will give you seriously nasty malware.

Be Aware of What You Share

Like with social media, you should think about what you share with others in Office 365. And you do think about your social media presence, right?

Some of the most powerful features in Office 365 include sharing and collaborating with documents and ideas. You can upload a document to OneDrive, share it with people inside or outside of the College,
and edit it together in realtime. You can post an idea to Yammer for feedback and discussion. But if you aren’t careful with what and how you share information you might publish something that shouldn’t
be published. When sharing documents make sure you know the target person or group. If the information is protected by FERPA this is extra important.

Does the other person need the information? Could anything being shared be damaging if released? Are you setting permissions to let them see it or have full control? Is the group
accurate or does it contain old or unknown members? Is this a public forum where everyone can see it? Who’s everyone, and should they see it?

These kinds of questions have always been important when working with information, but the cloud’s ubiquity and ease of access means information in it is simply more available. Clearly defining where
your information is going is an important first step. The IT Department centrally controls this on campus but our control is different in the cloud. Make sure you know your intended audience and purpose when
you share something in Office 365. Use the principle of least privilege to grant collaborators only what they need to work with you.

If You Suspect a Breach

If you see something, say something. It’s that simple. Report something that isn’t right to the data owner or, if it’s extra serious or high risk, to IT.

If you think your account has been breached your first action should be changing your password. Sign in to a campus computer, press Ctrl-Alt-Del, and click Change a Password.
This will lock out anyone who may have access to your account. If you think protected information in your account may have been targeted let us know right away so that we can start an investigation.
Don’t touch the files you suspect to allow us to perform forensic analysis on them and determine if something’s not right.

Putting it All Together

If you’ve reached this section and aren’t completely terrified, good!
If you ARE completely terrified, don’t be.

Staying safe online is primarily driven by common sense. If something seems off (or too good to be true) it probably is. Skip it and move on without clicking anything or providing any information.
Be alert when you’re online, be conscious of what you’re doing, and be observant as you work and play. And if something does happen or you’re not sure how to handle a situation just contact us.